The focus of network attacks has shifted from denial of service to system compromise, and attacks against application layer protocols have grown in sophistication and success. As a result, application layer protocol validation is one example of an approach that has been added to firewalls and intrusion detection and prevention systems to address this shift. An application filter comprises instructions that provide a supplemental layer of security at a firewall, intrusion detection system or other type of network interface protection apparatus. Application filters can access the data stream or datagrams associated with a communication session of a network interface protection apparatus. Application filters can perform protocol-specific or system-specific tasks such as, for example, authentication and virus checking.
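The following is an added illustrative example, not code from this patent or from any product it mentions, of the kind of protocol-specific check an application filter applies to a session's data stream: a validator for the head of an HTTP/1.x request that rejects malformed or policy-violating requests before they are forwarded. The method allow-list, the line and header-count limits and the Host requirement for HTTP/1.1 are assumptions chosen for the example; the sample requests at the bottom are constructed.

```python
"""Minimal application-layer protocol validator for HTTP/1.x request heads.

Added illustrative example (not code from the patent). Limits and policy
rules below are assumptions chosen for the example, not values the patent
specifies.
"""
import re
from typing import Tuple

# RFC 7230 token characters (tchar), used for methods and header field names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VERSION = re.compile(r"^HTTP/1\.[01]$")

# Assumed policy limits for the example.
MAX_LINE_LEN = 4096
MAX_HEADERS = 64
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def validate_http_request_head(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the request head is well formed
    under the rules above; reason names the first violation found."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete head: no CRLFCRLF terminator"
    # A bare LF line ending is a classic parser-desync vector; refuse it.
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF in head"
    try:
        lines = [ln.decode("ascii") for ln in head.split(b"\r\n")]
    except UnicodeDecodeError:
        return False, "non-ASCII byte in head"
    for ln in lines:
        if len(ln) > MAX_LINE_LEN:
            return False, "line exceeds MAX_LINE_LEN"
        if any(ord(c) < 0x20 and c != "\t" for c in ln) or "\x7f" in ln:
            return False, "control character in head"
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "request line must have exactly three parts"
    method, target, version = parts
    if not _TOKEN.match(method) or method not in ALLOWED_METHODS:
        return False, f"method not allowed: {method!r}"
    if not target or not (target.startswith("/") or target == "*"):
        return False, "malformed request-target"
    if not _VERSION.match(version):
        return False, "unsupported HTTP version"
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return False, "too many header fields"
    seen_host = False
    for h in headers:
        name, colon, _value = h.partition(":")
        if not colon or not _TOKEN.match(name):
            return False, f"malformed header field: {h!r}"
        if name.lower() == "host":
            seen_host = True
    if version == "HTTP/1.1" and not seen_host:
        return False, "HTTP/1.1 request without Host"
    return True, "ok"


# Constructed sample requests for a stand-alone run.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: a\r\nX-Bad: v\x00\r\n\r\n",
    b"GET / HTTP/1.1\nHost: a\n\n",
    b"TRACE / HTTP/1.0\r\n\r\n",
    b"GET / HTTP/1.0\r\nBad Name: v\r\n\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, reason = validate_http_request_head(s)
        print("PASS" if ok else "DROP", reason)
```

Only the first sample passes; every other one is dropped with a reason the filter could log. A real application filter would additionally track session state (for example, whether a body is expected after the head), but the structure is the same: a small grammar check applied to the stream before forwarding.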
Application filters generally require long development lead times for the design, implementation and testing of the packet filtering code and of the management code that supports such packet filtering features. Consequently, it has been impractical to customize application layer filtering features for particular customers, and it has been difficult to keep up with the rapid evolution of attacks against application layer protocols. Furthermore, such application layer filtering features are typically custom coded (i.e., handcrafted by a programmer) and thus introduce high processor overhead and unpredictable latency and jitter in the filtered traffic.
One known approach to providing customized application layer filtering involves creating custom-coded packet inspection features that are then loaded into a firewall to customize or update its standard filtering features. For example, Check Point Software Technologies of Redwood City, Calif., USA offers a firewall product with functionality that allows a customer (i.e., a Check Point user) to create packet inspection features in a language provided for that purpose; these are compiled into code that can be loaded into a Check Point-specific firewall to customize or update the standard filtering features of that firewall. The language in which such custom-coded packet inspection features are written is a very low-level language, which necessitates that programs providing such features be fully or at least partially written by hand. Moreover, achieving more than a very basic level of protocol validation requires a large program that is difficult to validate for correctness.